Find out more about how we use patient information at Gloucestershire Hospitals NHS Foundation Trust. This notice will also apply, where appropriate, to information we hold about patients’ carers relatives and next-of-kin.
If you require the information in this notice in a different language or format, please contact our Patient Advice and Liaison Service (PALS).
What information do we collect from you
Records which this Trust may hold about you may include the following:
- Details about you, such as your address and next of kin
- Any contact the Trust has had with you, such as appointments, clinic visits, emergency appointments, etc
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations, such as laboratory tests, x-rays, etc
- Relevant information from other health professionals, relatives or those who care for you
Coronavirus (COVID-19) self isolation
Information about patients’ coronavirus (COVID-19) status may be shared with NHS and other partners involved in their care and treatment, along with:
- NHS England
- Public Health England
- the Department of Health
- other government departments where it's legally required, or where it's necessary for the protection of public health or management of the outbreak
The lawful basis is GDPR Article 6(1)(c), compliance with a legal obligation, or Article 6(1)(e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).
The exemptions in GDPR Article 9(1)(g) and 9(2)(h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems.
The conditions in paragraphs 2 (management of health care systems), 3 (public health) and 6 (statutory and government purposes) of schedule 1 of the Data Protection Act 2018 are engaged.
Where a patient has tested positive for COVID-19, the results of the test may also be notified to next-of-kin, partners, or people the patient may live with.
Why do we collect your information?
The primary purposes for collecting information are for the provision of healthcare services, and our statutory duty to maintain an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided and of decisions taken in relation to the care and treatment provided.
In addition to routine correspondence relating to treatment and appointments, your contact details (including address, phone number or email address) may also be used to contact you by email, post, SMS or an interactive voice phone call, to obtain feedback on your experience in using Trust services including, but not limited to, the NHS Friends and Family Test (FFT).
You will be able to opt-out of participating in the FFT when you are first contacted. The lawful basis for using your information for this purpose is that it falls within our official authority as a health service provider as we have a contractual obligation to run the FFT.
In addition we have a statutory duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to assess and monitor the quality of the experience of service users. Your responses to the FFT will be anonymous and will not be traced back to you. Responses to other surveys will be also be anonymous unless it is made clear to you that this is not the case, when we will only proceed with your specific consent.
Your contact details may also be used to set up video-conferencing services.
Pseudonymised aggregated patient data, from which you cannot be individually identified, may be used for service and cost planning to make the best possible use of resources, evaluate clinical practice and compare different ways of working, in order to evaluate how effective and efficient it is in delivering care to patients.
You can also find out more about how the NHS uses and looks after patient data at Understanding Patient Data
Who might we share your information with?
The Trust is one of many organisations working in the health and care system to improve care for patients and the public, and where appropriate will share your information with other organisations or professionals involved in your care, so that you receive good quality care and to prevent you being assessed again or being asked the same questions. Ordinarily information kept by the Trust will be made available to your GP. If you stay in our hospitals your GP will receive a summary of your care and condition when you are discharged. The Trust works with many partner organisations such as Social Care services, educational bodies, housing associations, voluntary and community organisations.
In accordance with National Policy the Trust is increasingly working with other partners as an Integrated Care Service (ICS) known as One Gloucestershire. You may expect information to be shared as part of that service particularly where you are being discharged from care by the Trust and there are ongoing health needs. For further information about the ICS please see: https://www.onegloucestershire.net/who-we-are/. See also information about the JUYI shared care record below.
Staff should discuss with you in general terms what information they are sharing, why and with whom, particularly when aspects of your care are transferred to another organisation.
We will only consider sharing information with other organisations or professionals where we consider it an important part of delivering effective care. However, you have a right to object to your information being shared.
There are exceptional circumstances whereby the Trust may share information about you without your knowledge, for example, in an emergency where you or someone else might suffer substantial harm or distress, where it relates to a 'communicable disease' (such as cholera, plague, smallpox, etc.) or if information is required by law (such as a court order).
Information about carers and relatives of deceased patients may be shared with Health Quality Improvement Partnership Ltd and NHS Benchmarking for the purposes of the National Care at the End of Life (NACEL) Quality Survey. This will be done in a way which does not directly identify them. For more information please see the NHS Benchmarking Fair Processing Notice.
Purposes beyond your individual care
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. This may not apply if you have explicitly consented to take part in a particular research project. In such cases you will be given information about the use of your information when you join the study or project. . Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
You have a choice, called the National Data Opt-Out, about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. The Trust has systems and processes in place to comply with the National Data Opt-Out policy.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters . On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used for health and care research at: https://www.hra.nhs.uk/information-about-patients/ .
You can change your mind about your choice at any time.
The Trust provides Patient Level Costing Information to NHS Digital to enable NHS Improvement to perform its statutory pricing and licensing functions effectively. This does not include any information relating to In vitro fertilisation (IVF) and gender recognition services. The legal basis for the provision is compliance with a statutory duty as NHS Digital requests the information using its power under section 259 of the Health and Social Care Act 2012. A copy of the Data Provision Notice is available on request firstname.lastname@example.org
For further information about how the NHS uses this data please see the NHS Digital website.
Reasonable Adjustment Flag
If you have agreed to have a Reasonable Adjustment Flag on your national NHS records we may add to, or update information on, this with your agreement which will be available to other NHS Organisations assisting in your care.
South Central & West Child Health Information Services (SCW CHIS)
For the purposes of providing medical services to, and the safeguarding of, children the Trust shares Maternity Department Data and Newborn Hearing Screening Data with the SCW CHIS.
The SCW CHIS is a Public Health Service commissioned by NHS England to maintain active and accurate child health records for the local population including children who move in and out of the area; manage queries about the health status of individual children and populations; check who has not yet had their interventions; and ensure that no interventions are duplicated or unintentionally missed.
Information is shared with NHS England and other participating health service providers. Information may be made available through the service to NHS Providers/NHS Business Partners including Local Authorities under an NHS Contract to deliver Child Health Services including Health Visitor teams, Looked After Children co-ordinators, School Nursing Teams, Acute (including Maternity Departments/Units), Newborn Bloodspot Laboratory, Newborn Hearing Screening Providers, Newborn Infant& Physical Examination (NIPE) providers, Vision Screening Providers, and Mental Health and Community Health service providers who are engaged in delivering services to children.
All parties participating in the SCW CHIS have signed specific Data Sharing Agreements to control their access to this patient data. A copy of the Trust’s agreement is available on request. For further information please see the SCW CHIS Privacy Notice.
Take a look at this list of partner organisations of the Trust's main information sharing partners.
What other information about you do we process?
As well as information that you provide to us directly, we also access and use information from other sources to help us provide you with safe and effective health and social care. This may include, for example:
- Your summary care record (SCR) extracted from your GP’s records unless you have opted out of having an SCR. Please follow the link for more information about your SCR
- Information held under a 'Reasonable Adjustments Flag' if you have agreed to have one. You can find out more about this from NHS England
- Additional information from an SCR where you have consented to have this added. This could be about how you would like to be treated, such as where you would prefer to receive care, what support you might need, or who should be contacted for more information about you. The Trust may also update this information with your consent. Use the link to find out more information about adding additional information
- Joining Up Your Information (JUYI): JUYI is a shared care record system for GPs, hospitals, community health, mental health and social care teams which allows the Trust, unless you have objected, to access information from health and social care professionals in Gloucestershire where this is for the purposes of your care. See also JUYI Privacy Notice
- Child Protection Information Service (CP-IS): When a child is known to social services and is a Looked After Child or on a Child Protection Plan, basic information about that plan is shared securely with the Trust by Social Services.
- Other information from NHS providers including your GP Surgery about health care that you have received previously and from partner organisations such as Social Care, housing associations, charities and voluntary and community organisations
How long do we keep your information?
There is a requirement for the Trust to hold a record of your information for a set length of time (which varies according to the type of information that it is). You can find further information on the rules that the Trust must follow in this document created by the Information Governance Alliance – see ‘Records Management Code of Practice for Health and Social Care 2016’).
Where is my information stored?
Some health records are held in paper form but increasingly parts of your health records are now stored electronically as the NHS strives to become paperless.
Almost all electronic records are stored in the UK. However, for a very small minority of services some information may be sent and stored abroad, such as out of hours radiology reporting where information is securely transferred to Australia. We make sure that where information is stored abroad, it has the same level of legal protection as it would if it were stored here.
How we use your information: legal aspects
The ways in which we use your information are governed by law. The principal legislation that applies is the EU General Data Protection Regulation (GDPR), which came into force on 25 May 2018 and has been incorporated into the Data Protection Act 2018. We are required to identify the legal basis under GDPR for processing your information.
In addition, confidential information about you that you give to our staff to enable them to provide your care is governed by the common law duty of confidentiality, as described in our Data Protection and Confidentiality Policy:
- When your information is used or shared for your direct clinical care and related administrative purposes, we rely on Article 6(1)e GDPR - processing is necessary for the performance of a task carried out in the exercise of official authority. The exception in Article 9(2)h of the GDPR - processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services – allows us to use your health data for these purposes.
- In addition we hold health records under Article 6(1)c of the GDPR – processing in compliance with a legal obligation. We have a duty under Regulation 17(2)(c) of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to keep an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken . We may also use your information if necessary for the purposes specified in the other parts of Regulation 17(2). As above, the exception in Article 9(2)h of the GDPR applies in these cases.
- When there is a legal requirement that we provide specified data to NHS Digital for example, for secondary (indirect care) purposes, we rely on Article 6(1)c of the GDPR – processing in compliance with a legal obligation. In cases where the common duty of confidentiality cannot be satisfied through consent this is done with approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006. The exception in Article 9(2)h of the GDPR referred to above also applies
In respect of medical research, in most instances we rely on Article 6(1)e as above, and the exception in Article 9(2)j of the GDPR for research purposes, if and when we use your information for research. On occasions the legal basis may be your explicit consent. If you have formally consented to take part in research, this will satisfy the common law duty of confidentiality. Where it has been impracticable to obtain your consent this is again done with approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.
The Trust may treat patients privately. The information in this Privacy Notice generally applies to patient information created and used in the course of private treatment, including information about your rights.
The lawful basis for processing however is the contract with yourself and any insurer rather than our official authority as an NHS provider.
Health records relating to private treatment are stored on the same systems as used for NHS treatment by arrangements with private care providers (typically your Consultant). In such cases the Trust is a joint controller with the Consultant who should provide patients with a separate privacy notice.
Where private treatment is funded by insurance the Trust has arrangements with providers including BUPA for the provision of private treatment. In such cases we will share information with the health insurance provider, as required by our contract with them, for the following purposes:
- To provide clinical quality information
- To notify them of any serious incidents
- To pre-authorise treatment
- To invoice them for services
- To assist them when they are investigating a complaint
You can view the major insurers’ privacy notices as follows (click for hyperlink to notices):
For other insurers, please refer to their own Privacy Notices.
Your information may also be processed by us for auditing payments and income to ensure that we are receiving full value for the use of public assets. Income received is invested to support Trust services.
We are also required by the Competition & Markets Authority Private Healthcare Market Investigation Order 2014 (as amended) to share information about you and your treatment with the Private Healthcare Information Network (PHIN). The information we provide does not directly identify you. For further details see the PHIN Privacy Notice.
What are my rights?
The Data Protection Act gives you certain rights in respect of the information we hold about you. Select a topic below for further information:
- Request a copy of information that we hold about you (read more about how to access a copy of your health record)
- Object to the Trust using your personal data
- Request to have your personal data rectified
- Request to have your personal data erased
- How to submit a request
The Trust may refuse your request (in full or in part) where there is a legal basis to refuse and you will be notified of this.
Object to the Trust using your personal data
You have the right to object to the Trust using/sharing your information, however, there is no automatic right to prevent the Trust using/sharing your information.
Objections will be considered and you will be notified of the Trust’s decision and reason for its decision.
Where we have asked for your consent to collect and use your information, you have the right to withdraw that consent at any time.
Request to have your personal data rectified
You are entitled to have personal data rectified if it is inaccurate or incomplete.
The Trust must respond within 30 calendar days. However, the Trust may extend this period up to 60 calendar days for complex requests.
The Trust may refuse the request if it believes the information is accurate/complete or there is a legal basis to refuse and you will be notified of this. You have the right to complain to the Information Commissioner’s Office and to seek correction by order of a Court.
Request to have your personal data erased
This is more commonly known as the ‘right to be forgotten’. You may request to have your data erased where:
- It no longer needs to be kept by the Trust (it has surpassed the minimum retention period)
- Where you withdraw your consent or object to the use of your data and there is no requirement for the Trust to retain the data
- It has been used unlawfully
- The Trust must comply with a legal obligation
- You are under 16 and data has been stored electronically by the Trust at your request
The Trust may refuse your request (in full or part) where there is a legal basis to refuse and you will be notified of this.
How the Trust ensures information is used appropriately
The Trust is required to provide evidence of the steps it takes to ensure information is used appropriately. Find out more
Whenever the Trust changes the way it manages personal data it carries out an assessment, and if any significant risks to privacy are identified a full Data Protection Impact Assessment is carried out as required by the General Data Protection Regulation. Copies of these are available on request in accordance with our Publication Scheme. You can also request copies of any Data Sharing Agreements we have entered into with our partners which we describe in the section “Who might we share your information with?” above.
What to do if you have concerns about the use of your information
You can email the Trust’s
For informal inquiries, you can contact the Patient Advice and Liaison Service.
If we can’t resolve your concern, you have the right to lodge a complaint with the Information Commissioner's Office